Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In my last column, I wrote about the Visible Ops Handbook, which I recommend to everyone involved in system and network operations. Today I continue on the same theme by starting a review of the newer booklet, "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps," by Gene Kim, Paul Love and George Spafford.
The booklet has only 108 pages and measures 5.5" x 8" - easy to carry around. A PDF version is also available and can be printed in 8.5" x 11" format.
The introduction discusses the growing concern over security, caused partly by internal perceptions of need and partly by external pressures of government regulation and contractual obligations. The industry consensus is that “the business and IT must integrate sustainable security practices into IT operational and service development processes.” Like the Visible Ops Handbook, Visible Ops Security is “based on the study of the common practices of high-performing IT organizations…. [The ITPI] has studied and benchmarked more than 850 IT organizations to gain deeper insights into what enables high performers to excel.”
Two categories of problems confront IT personnel, and the authors provide many specific examples of each:
* Conflicts between the requirements of normal IT operations or development practices and the expectations of security.
* Interference of security standards and practices with effective and efficient operations.
Another fundamental problem is that "Although IT supports the business in many different ways, IT has two primary functions:
1. Developing new capabilities and functionality to achieve business objectives.
2. Operating and maintaining existing IT services to safeguard business commitments."
The authors write, “Visible Ops Security describes how to resolve this core chronic conflict by enabling the business to simultaneously respond more quickly to urgent business needs and provide stable, secure and predictable IT services.”
The remainder of the introduction provides an overview of the four phases of the systematic approach to resolving fundamental problems in the operations and security sectors:
1. Stabilize the patient and get plugged into production
2. Find business risks and fix fragile artifacts
3. Implement development and release controls
4. Continual improvement
In my next columns, I’ll look at how the authors approach each of these phases in more detail.
Get the book.
* * *
Gene H. Kim, CISA is co-founder and chief technology officer of Tripwire. He is also co-founder of the Information Technology Process Institute.
Paul Love, MS, CISSP, CISA, CISM, Security+ is a distinguished computer scientist, security expert and author (see, for example, Beginning Unix).
George Spafford, MBA, CISA, Service Manager is a principal consultant with Pepperweed Consulting and is also the author of the popular mailing list "The News."
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.